HeartBleed Bug

By now you have heard news about the Heartbleed / OpenSSL vulnerability that is sweeping the internet. Since getting wind of the problem many programmers, website owners, and other security professionals have been working around the clock to secure their websites.

It’s still very early in the process and as of 4/10/2014 many operators have not yet addressed publically whether their sites were safe or affected. Lists are popping up that show safe and vulnerable websites. However, the status of the website is as of a snapshot in time. Thus, if a website operator was vulnerable but patched their website on Wednesday morning and the test was run on Wednesday afternoon, they may give you a false sense of security. Thus, it is not safe to rely on these lists to assess whether or not your accounts were affected since this vulnerability has been present for 2 years.

What is the issue?

This is not a virus or a hack. This is a vulnerability in the programming code that allows intruders to get through the security “wall” that protects many websites. This hole allows hackers to compromise the digital keys used to identify websites and encrypt the info. It also provides a look at unencrypted data as it passes over the internet onto web servers.

Think of it this way: You moved into a new house 2 years ago. You always lock your doors whether you’re home or away and have 24/7 alarm system. However, while you were painting your front door, you noticed a secret latch on the outside that releases the locks and allows strangers to walk in your front door. While in, they can grab your wallet, social security numbers, usernames, passwords, etc. as if they have a key to the house. There’s no way to tell if anyone has accessed the house, but the opportunity has always been there. Thus, the problem is not “backdoor” access to secure websites… hackers can waltz right in the front door.

I have told people for yearsnever to log into a website, provide credit card numbers or any other sensitive information unless the URL address is preceded by https://. The https://, the padlock and the green color indicate that several things have happened behind the curtains, including:

Verification that the website is really who they say they are – your browser verifies digital certificates to confirm that www.gmail.com is really Gmail.

Encrypts the data as it passes across the internet – thus, if someone intercepts your username, password and credit card as it passes across the internet to a web server, it’s scrambled and completely useless to a hacker.

Unfortunately, this vulnerability compromised that security, leaving your passwords, usernames & credit card numbers vulnerable on affected web servers. With that said, you should still follow these rules going forward. They just have not provided the security that we all expected for the last 2 years.

Am I affected?

At this point, it’s not entirely clear which sites are affected – the development is so new that many web site owners are still scrambling to assess and apply patches. While you can check the lists referenced above, they are as of a point in time. Your best approach is to either check in with your online providers (banks, shopping sites, email providers, etc) to find out whether they were affected, whether they have corrected the problems and what course of action you should take to protect yourself.

Is this a virus?

NO. Despite the subtitle of an Associated Press news article I read Wednesday morning, this is not a virus, but a security hole. According to a Google search

Virus: a piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.

Thus, running antivirus software or active scans will not detect or remove the problem.

What should I do?

The first step in securing your accounts is to change passwords for all of your online accounts. But don’t jump out there and do it yet. As of this writing (7AM EST on 4/10/2014) many websites have not applied the patches to OpenSSL so your changes would be made in vain.

You should already be in the habit of changing your passwords to critical sites every 3-6 months. You’re not? Neither is the rest of the world. As such, use this as a wake-up call to freshen up your passwords. Be sure they’re complex and use the following guidelines as minimum:

Do not use your name, your user name, family names or familiar numbers, like your birthdate or home address.

Avoid dictionary words.

Use a passphrase instead of a password.

Passwords should be at least 8 characters long.

Employ characters from at least 3 of the 4 following groups:

Uppercase letters;

Lowercase letters;

Numbers;

Symbols;

A brief list of the internet’s most popular sites and whether or not they were affected is available here.

As always, feel free to contact me if you have questions about this problem. If you want additional information on the bug, check out these articles: